SEC Postpones Final Rule on Cyber Incident Disclosures
The Securities and Exchange Commission (SEC) was scheduled to release a final rule, mandating publicly traded companies to disclose important cyber breaches in their regulatory filings within four days of discovering a breach. The decision has been postponed until October 2023, prolonging the process. In March 2022, a draft rule was introduced to enhance transparency regarding cybersecurity incidents occurring within publicly traded companies.
The proposed rule required publicly traded companies to make sure that investors know about important cybersecurity incidents and make known details regarding cybersecurity governance, the condition of board competence in managing cybersecurity occurrences, and the participation of top management in cyber threats. In February 2022, a new rule was additionally suggested for investment consultants, authorized investment firms, and business growth companies requiring them to create, utilize, and manage written cybersecurity guidelines and procedures to deal with cybersecurity threats.
Regulatory improvements that compel publicly traded firms to report cyber attacks were deemed necessary because many were opting not to report these occurrences to avoid prospective lawsuits and lessen reputational damage. Merely one-fourth of ransomware attacks are documented by public authorities since the reporting of cyberattacks is not mandatory. The proposed rules went through two periods of commenting, and there were over 175 comments received in relation to the proposed cyber rules. The final rule is likely to be released as soon as April 3, 2023; nevertheless, the SEC has already mentioned in a new update to its rulemaking schedule that its new cyber rules won’t be released until October 2023. The SEC didn’t give an explanation for the delay; even so, there is substantial opposition to the proposed rules.
Although the new requirements for enhancing transparency received extended support, the problem is in the details, particularly the requirement for 4-day reporting, which a lot of commenters think would impede the capability of public organizations to stop, inspect, remediate, and protect against cybersecurity problems. The cybersecurity company, Rapid7, cautioned that the 4-day disclosure due date means organizations that come across security breaches would be compelled to freely divulge the incidents prior to their being completely secured, and that will notify hackers and make the organizations more susceptible and could result in increased harm to investors. Rapid7 asked that companies be permitted to hold off reporting until the full remediation of a cyber incident.
The U.S. Chamber of Commerce stated the SEC is trying to micromanage company cybersecurity plans and the proposed rule wouldn’t automatically secure investors. The SEC was belittled for the 4-day reporting time since it didn’t provide companies enough time to assess the seriousness of security occurrences. The demand to share whether or not the board has cybersecurity competence was furthermore belittled since it can result in awkward and undesirable results, like providing investors with an incorrect degree of confidence in the capability of a company to handle the security occurrence. In its responses, the Chamber of Commerce stated it will be hard even for NIST to determine what comprises knowledge or experience in cybersecurity that will generate extensive agreement among market specialists.
Nevada Consumer Health Data Bill Approved
A new consumer health data privacy bill has been signed by the Nevada governor. This law protects consumer health data privacy and provides Nevada locals with new rights with regard to their health information. Senate Bill (SB) 370 was patterned after Washington’s “My Health, My Data (MHMD) bill, though less extensive. The new bill is applicable to entities that do business in Nevada or manufacture or offer goods and services that are geared towards customers in Nevada and, whether alone or together with others, identify the reason and ways of processing, sharing, or marketing consumer health information. Exceptions consist of law enforcement institutions and their providers, and entities subject to the Gramm-Leach-Bliley Act (BLBA), and the Health Insurance Portability and Accountability Act (HIPAA).
The new bill is applicable to consumer health information, which refers to personally identifiable information (PII) that is associated with or can be sensibly related to a consumer that a covered entity utilizes to distinguish the past, current, or future health condition of an individual, but does not include data for particular research functions, public health requirements, FERPA-covered information, and health information gathered and disclosed as approved by other state or government legislation, and a number of other reasons.
Consumer health information includes details regarding any health status, illness, or diagnosis; behavioral, social psychological, or medical treatment; surgical procedures or health-related operations; use or purchase of medicine; bodily functions, symptoms, or vital signs; sexual or reproductive health care; gender-affirming care; biometric/genetic information; exact geolocation data and medical details taken or deduced from non-health information.
The new legislation provides consumers with new rights regarding their health data, such as the right to verify if a regulated business is acquiring, sharing, or marketing their health information, get a listing of all third parties that obtained or purchased their health information, the right to stop a company from processing, giving, or peddling their health information, and the right to delete their health information. When it comes to the last mentioned, covered entities must delete information and inform affiliates, processors, and providers of the removal request in 30 days. Entities must respond to consumer requests without unnecessary delay and not beyond 45 days after an authenticated request.
Regulated businesses need to acquire positive, voluntary permission for the collection and disclosure of consumer health information and get written, signed consent prior to allowing the purchase of consumer health information. Covered businesses must have a consumer health data privacy guideline, limit access to consumer health information to staff and processors that require data access, maintain reasonable security procedures, and set up a customer appeals procedure. A privacy policy should be visible on a covered business’s main Website that clearly talks about how consumer health information is obtained and utilized, the types of entities with whom the data will be provided, and clearly state consumer rights, like the process for reviewing, asking modifications, and removing consumer health information. Covered entities are forbidden from geofencing healthcare establishments (within 1,750 ft) for identifying/monitoring consumers getting or receiving healthcare, acquiring health information from consumers, or delivering health information or healthcare-associated notices, announcements, or ads to consumers.
The new bill will be effective starting March 31, 2024, then the state Attorney General can enforce financial penalties on the non-compliant; nonetheless, there’s no private cause of action, therefore consumers cannot file suit against entities that have ruined their privacy by means of not complying with the law.